mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-05 02:50:46 +00:00
nss: ignore CVE-2022-3479
Investigation based on https://bugzilla.mozilla.org/show_bug.cgi?id=1774654 leads to following: * fixed in 3.87 (https://hg.mozilla.org/projects/nss/rev/a7f363511333b8062945557607691002fd6e40b9) * changed code was introduced in 3.77 (https://hg.mozilla.org/projects/nss/rev/be6a97823bfe10fa08e17c9584938a2d525a38da) * NVD claims fix in 3.81, but there is no evidence for it in commit history (https://hg.mozilla.org/projects/nss/graph/a7f363511333b8062945557607691002fd6e40b9) * Debian also says for old versions "nss <not-affected> (Vulnerable code not present/was introduced later)" (https://security-tracker.debian.org/tracker/CVE-2022-3479) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
Peter Marko
Khem Raj
@@ -289,3 +289,6 @@ CVE_CHECK_IGNORE += "CVE-2006-5201"
|
||||
# CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect
|
||||
# the legacy db (libnssdbm), only compiled with --enable-legacy-db.
|
||||
CVE_CHECK_IGNORE += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"
|
||||
|
||||
# vulnerability was introduced in 3.77 and fixed in 3.87
|
||||
CVE_CHECK_IGNORE += "CVE-2022-3479"
|
||||
|
||||
Reference in New Issue
Block a user